PT-2026-40543 · Esm.Sh · Esm.Sh

Donttrytofindme

·

Published

2026-05-12

·

Updated

2026-06-25

·

CVE-2026-44594

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions esm.sh versions 137 and earlier
Description A Local File Inclusion (LFI) issue exists in the esbuild plugin's handling of the browser field within the package.json file. An attacker can publish a malicious npm package that leverages ../ sequences in the browser field to remap module paths. Because the plugin fails to perform a second validation check after this remapping, the server can be forced to read and return arbitrary files from the host filesystem during the build process. These files may appear in the bundled JavaScript output or the sourcesContent array of the source map. The impact includes the potential exposure of sensitive files, such as the config.json file, which may contain S3 storage credentials and npm registry authentication tokens.
Recommendations Update to a version later than 137. As a temporary mitigation, restrict the use of the browser field in package.json for untrusted npm packages.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44594
GHSA-RG65-45M7-HQ57
GO-2026-5620

Affected Products

Esm.Sh